9.7. Bonding Interfaces

Support for bonding interfaces is currently available only for
Linux firewalls. A generated iptables script can incrementally
update bonding interfaces:

The generated script includes shell code to manage bonding
interfaces if the checkbox "Configure bonding interfaces" is
turned on in the "Script" tab of the firewall object
"advanced" settings dialog. By default, it is turned off.

The script uses the ifenslave tool, which
should be present on the firewall. The script checks whether it
is available and aborts if it cannot find it.

The script creates new bonding interfaces with parameters
configured in the GUI if the module 'bonding' is not
loaded. This is what happens if the Firewall Builder script runs
after reboot.

If there are no bonding interfaces in the fwbuilder
configuration, the script removes the bonding module to kill
any bonding interfaces that might exist on the machine.

If you add a second bonding interface in Firewall Builder, the
script checks if it exists on the machine. It will not
create it because to do so, it would have to remove the
module, which kills other bonding interfaces. If this
second bonding interface exists, it will be configured
with slaves and addresses. If it does not exist, the script
aborts. In this case you need to either (1) reload the module
manually, (2) add max_bonds=2 to /etc/modules.conf and
reboot, or (3) unload the module and run the Firewall Builder script
again (if the module is not loaded, the script loads it with
the correct max_bonds parameter).

If a bonding interface exists on the machine but not in
Firewall Builder configuration, the script removes all slaves
from it and brings it down. It cannot delete it because
to do so it would need to remove the module, which kills
other bonding interfaces.
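
The decisions in the list above, written as a dry-run planner. This is an added example, not code generated by Firewall Builder; the function names, the action strings, and the choice to check for missing bonds before planning any change are assumptions made for illustration.

```shell
# Added example, not Firewall Builder output: dry-run planner for the
# bonding decisions described above. State is passed as arguments.

# in_list NAME "LIST": succeed if NAME is a word in space-separated LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# plan_bonding HAVE_IFENSLAVE MODULE_LOADED "CONFIGURED" "EXISTING"
#   first two are yes|no; the lists are space-separated bond names
#   (CONFIGURED from fwbuilder, EXISTING from the machine).
# Prints one action per line; returns 1 where the script would abort.
plan_bonding() {
    have_tool=$1; loaded=$2; configured=$3; existing=$4
    if [ "$have_tool" != yes ]; then
        echo "abort: ifenslave not found"; return 1
    fi
    # No bonds configured: remove the module, which kills any bonds.
    if [ -z "$configured" ]; then
        if [ "$loaded" = yes ]; then echo "unload-module"; fi
        return 0
    fi
    # Module not loaded (e.g. after reboot): load it sized for all bonds.
    if [ "$loaded" != yes ]; then
        set -- $configured
        echo "load-module max_bonds=$#"
        for b in "$@"; do echo "configure $b"; done
        return 0
    fi
    # Module loaded: a missing bond cannot be created without a reload.
    # Assumption: check every bond first so an abort changes nothing.
    for b in $configured; do
        if ! in_list "$b" "$existing"; then
            echo "abort: $b does not exist"
            return 1
        fi
    done
    for b in $configured; do echo "configure $b"; done
    # Bonds on the machine but not configured are emptied and brought
    # down, not deleted (deleting would need a module unload).
    for b in $existing; do
        if ! in_list "$b" "$configured"; then echo "release-and-down $b"; fi
    done
    return 0
}
```

On a Linux machine with the bonding module loaded, the EXISTING list can be read from /sys/class/net/bonding_masters.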

Note

There is a limitation in the current implementation in
that all bonding interfaces will use the same protocol
parameters. This is because loading the module with the parameter
"-obond1", which is supposed to be the way to obtain more
than one bonding interface and also the way to specify
different parameters for different interfaces, causes a
kernel panic in my tests. (Tested with bonding module
v3.5.0 and kernel 2.6.29.4-167.fc11.i686.PAE on Fedora
Core 11.) The only working way to get two bonding
interfaces I could find is to load the module with
parameter max_bonds=2, but this means all bonding
interfaces work with the same protocol parameters. If bond
interfaces are configured with different parameters in
fwbuilder, the compiler uses the first and issues a warning for
others.

To configure a bonding interface, we start with an interface object
with the name "bond0". Create this interface as
usual, open it in the editor by double-clicking it in the tree,
rename it, and then click the "Advanced Interface Settings" button.
Set the type to "Bonding" in the drop-down list and set the other
parameters:

Figure 9.38. Bonding Interface Settings

To add regular Ethernet interfaces as slaves to a bonding
interface, copy and paste (or create) them so they become child
objects of the bonding interface. A bonding interface needs an IP
address like any other regular interface. The final configuration looks
like the one shown in Figure 9.39:

Figure 9.39. Bonding Interface bond0 with Two Slaves

If you only want to be able to use the bonding interface in rules,
then this configuration is sufficient. You can go ahead and add rules and place
the object "bond0" in the "Source", "Destination" or "Interface" column of
policy rules. If you want Firewall Builder to generate a script that
creates and configures this interface, then you need to enable
support for this by turning the checkbox "Configure bonding
interfaces" on in the "Script" tab of the firewall object settings
dialog:

Figure 9.40. Configuration of Bonding Interfaces Should Be Enabled in Firewall Settings Dialog

Now compile the firewall object, copy the generated script to the
firewall machine and run it there. If the script is started using the
command-line parameter "interfaces", it only configures interfaces
and IP addresses but does not load iptables rules. Here is how it
looks:

Note

Unfortunately, the generated script cannot manage bonding interface
parameters. If you change a bonding policy in the GUI, recompile it,
and run the script on the firewall, nothing will happen. You need
to either manually unload the module or reboot the machine. However,
if you add or remove Ethernet interfaces under the bonding
interface, the script will update its configuration accordingly
without the need to unload the module or reboot the machine.